Indeed Job Search 2.5 iOS API – Multiple Vulnerabilities

  • Author: Vulnerability-Lab
    Date: 2014-10-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/34981/
  • Document Title:
    ===============
    Indeed Job Search 2.5 iOS API - Multiple Vulnerabilities
    
    
    References (Source):
    ====================
    http://www.vulnerability-lab.com/get_content.php?id=1303
    
    
    Release Date:
    =============
    2014-10-13
    
    
    Vulnerability Laboratory ID (VL-ID):
    ====================================
    1303
    
    
    Common Vulnerability Scoring System:
    ====================================
    3.6
    
    
    Product & Service Introduction:
    ===============================
    Find jobs using Indeed, the most comprehensive search engine for jobs. In a single search, Indeed offers free access to millions of jobs from thousands of 
    company websites and job boards. From search to apply, Indeed’s Job Search app helps you through the entire process of finding a new job. Since 2004, Indeed 
    has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment 
    advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands 
    of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.
    
    (Copy of the Homepage: https://itunes.apple.com/us/app/job-search/id309735670 )
    
    
    Abstract Advisory Information:
    ==============================
    The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Indeed.com `Job Search` v2.5 mobile web-application (api).
    
    
    Vulnerability Disclosure Timeline:
    ==================================
    2014-10-13: Public Disclosure (Vulnerability Laboratory)
    
    
    Discovery Status:
    =================
    Published
    
    
    Affected Product(s):
    ====================
    Indeed.com (Bug Bounty)
    Product: Job Search - Mobile Application API 2.5
    
    
    Exploitation Technique:
    =======================
    Remote
    
    
    Severity Level:
    ===============
    Medium
    
    
    Technical Details & Description:
    ================================
    1.1
    A persistent input validation web vulnerability has been discovered in the official Indeed.com `Job Search` v2.5 mobile web-application (api).
    The persistent vulnerability allows an attacker to inject their own script code on the application side of the vulnerable online-service module.
    
    The vulnerability is located in the main job search input fields `Was Stichwort, Jobtitel oder Unternehmen` and `Wo Ort, Bundesland oder Postleitzahl`.
    A local low privileged user account is able to inject script code by using the regular `Jobs finden` search button. The injection request runs through 
    the mobile api and is neither parsed nor encoded. The attacker places the code in the input field and it executes in the results page delivered through the mobile api.
    The first execution occurs on the client side of the application.
    
    After the first search request, the application remembers the strings and saves the information (application-side). The injected client-side request with 
    the malicious code therefore turns into an application-side attack, because the search context is stored in the database for the user profile. During the test we used js, html tags and php code 
    to exploit the issue and verify. The input executes frames, images and script code in the results page, in the header where the vulnerable `stichwort` and `ort` 
    values are located. The input of the search and also the stored information can be reviewed in the backend, which needs to be verified with a higher 
    privileged Indeed account.
    
    The security risk of the vulnerabilities is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9. Exploitation of the security issue 
    requires low user interaction and a registered low privileged mobile web application user account. Successful exploitation of the security vulnerability results in 
    session hijacking (user/manager/admin), persistent phishing, persistent external redirects or persistent manipulation of affected or connected module context.
    
    
    Vulnerable Application(s):
    				[+] Indeed.com - Job Search v2.5 iOS Mobile Application (API)
    
    Request Method(s):
    				[+] POST
    
    Vulnerable Module(s):
    				[+] Was Stichwort, Jobtitel oder Unternehmen
    				[+] Wo Ort, Bundesland oder Postleitzahl
    
    Affected Module(s):
    				[+] Job Search Results
    				[+] History - Vorherige Job suchen
    
    
    1.2
    A client-side cross site scripting vulnerability has been discovered in the official Indeed.com `Job Search` v2.5 mobile web-application (api).
    The vulnerability allows remote attackers to hijack website customer, moderator or admin session information by client-side cross site scripting requests.
    
    The vulnerability is located in the `Empfänger` input of the `Job Suche > Wähle Job Angebot` module. Local low privileged user accounts are able to inject 
    script code into the `Empfänger` input field of the iOS application. The result is client-side script code execution in the context of the main job result, 
    next to the page bottom. The attack vector is non-persistent and the method to inject the malicious code is POST. During the test we used js, html tags 
    and php code to exploit the issue and verify. The injected code executes directly after the request through the api, at the bottom of the job 
    article page next to the vulnerable `Empfänger` input.
    
    The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6. Exploitation of the security 
    issue requires low user interaction and no privileged mobile web application user account. Successful exploitation of the security vulnerability results in 
    session hijacking (user/manager/admin), non-persistent phishing, non-persistent external redirects or client-side manipulation of affected or connected module context.
    
    Vulnerable Application(s):
    				[+] Indeed.com - Job Search v2.5 iOS Mobile Application (API)
    
    Request Method(s):
    				[+] POST
    
    Vulnerable Module(s):
    				[+] Job Suche > Wähle Job Angebot
    
    Vulnerable Input(s):
    				[+] Empfänger
    
    Affected Module(s):
    				[+] Job Suche > Job Angebot (Bottom > Empfänger)
    
    
    Proof of Concept (PoC):
    =======================
    1.1
    The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged application user account and low user interaction.
    For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
    
    Test Account:
    Username: bkm@evolution-sec.com
    Password: keymaster148
    
    
    Manual steps to reproduce the vulnerability ...
    
    1. Install the Indeed Job Search v2.5 application for Apple iOS (https://itunes.apple.com/us/app/job-search/id309735670)
    2. Open the service and register an account
    3. Login to the account
    4. Open the main job search module
    5. Inject your own script code payload into the two vulnerable input fields
    Note: Both input fields run directly through the api of the mobile application
    6. You get redirected to the results page, where the execution takes place on top of the webpage context
    7. Client-side reproduction successful!
    8. Now go back to the regular profile in the main app index search
    Note: The mobile app allows saving the already requested context of an existing search (history search)
    9. `Vorherige Job suchen` allows requesting the saved context, and the client-side issue is now an application-side vulnerability
    10. Vulnerability successfully reproduced!
    
    
    1.2
    The non-persistent cross site scripting vulnerability can be exploited by remote attackers without a privileged application user account and with medium or 
    high user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
    
    1. Install the Indeed Job Search v2.5 application for Apple iOS (https://itunes.apple.com/us/app/job-search/id309735670)
    2. Open the service and register an account
    3. Login to the account
    4. Open the main job search module and search for any existing job name
    5. Click the existing job article and scroll down to the page bottom
    Note: The application uses the `Empfänger` field to notify users and the seeker
    6. Inject your own payload into the `Empfänger` input field and save it with send
    7. The code execution occurs directly next to the vulnerable input field
    Note: The context passed through the mobile api is validated incorrectly, which results in the client-side execution of code
    8. Client-side vulnerability successfully reproduced!
    
    
    Picture(s):
    			../1.png
    			../2.png
    			../3.png
    			../4.png
    			../5.png
    			../6.png
    			../7.png
    			../8.png
    			../9.png
    			../10.png
    			../11.png
    			../12.png
    			../13.png
    			../14.png
    			../15.png
    			../16.png
    
    
    Solution - Fix & Patch:
    =======================
    1.1
    The first issue can be patched by securely parsing and encoding the results page where the vulnerable values are executed.
    Filter and restrict the input of the search through the mobile iOS api to prevent further persistent and non-persistent attacks.
    
    1.2
    To fix the second vulnerability, the `Empfänger` input field, which is present in every job article, must be encoded. The input value needs to be parsed 
    to ensure attackers are not able to execute client-side attacks against customers to compromise (hijack) session information.
    It may also be wise to implement a new exception for invalid requests in the mobile api and app.
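As an added illustration, not code from the advisory or from Indeed, the following Python sketch contrasts the raw-echo pattern described in 1.1 and 1.2 with the output encoding and recipient validation the fix sections call for; the HTML field names, the history list and the sample inputs are constructed assumptions.

```python
import html
import re

# Constructed sample inputs standing in for what the two search fields and the
# Empfänger field receive; illustrative only, not values from the advisory.
SAMPLE_STICHWORT = 'Entwickler"><script>alert(1)</script>'
SAMPLE_ORT = 'Berlin<img src=x onerror=alert(1)>'
SAMPLE_EMPFAENGER = 'kollege@example.com<svg onload=alert(1)>'

# Assumption: the Empfänger field is meant to carry exactly one e-mail address.
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')

# Stands in for the per-user history behind `Vorherige Job suchen` (assumption).
search_history = []


def render_results_vulnerable(stichwort, ort):
    """Echo pattern from section 1.1: raw values land in the results header."""
    search_history.append((stichwort, ort))
    return (f'<input name="q" value="{stichwort}">'
            f'<input name="l" value="{ort}">'
            f'<h1>Jobs: {stichwort} in {ort}</h1>')


def render_results_hardened(stichwort, ort):
    """Store the raw text, but escape it for the HTML context it is rendered in.
    quote=True also encodes the double quote, so the value cannot break out of
    the value="..." attribute that prefills the search form."""
    search_history.append((stichwort, ort))
    q, l = html.escape(stichwort, quote=True), html.escape(ort, quote=True)
    return (f'<input name="q" value="{q}">'
            f'<input name="l" value="{l}">'
            f'<h1>Jobs: {q} in {l}</h1>')


def render_history_hardened():
    """Replaying stored searches (the persistent variant) escapes again on output:
    what sits in the database is never trusted just because it was stored."""
    return ''.join(f'<li>{html.escape(s, quote=True)} / {html.escape(o, quote=True)}</li>'
                   for s, o in search_history)


def accept_empfaenger(value):
    """Section 1.2 fix: reject anything that is not a single address and return
    the escaped form for rendering next to the input. Returns (ok, html_value)."""
    value = value.strip()
    if not EMAIL_RE.fullmatch(value):
        return False, None
    return True, html.escape(value, quote=True)
```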
    
    
    Security Risk:
    ==============
    1.1
    The security risk of the persistent and non-persistent input validation web vulnerability in the result page is estimated as medium.
    
    1.2
    The security risk of the non-persistent cross site scripting web vulnerability in the `empfänger` value is estimated as medium(-).
    
    
    Credits & Authors:
    ==================
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
    
    
    Disclaimer & Information:
    =========================
    The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
    expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
    are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
    if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
    of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
    any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
    
    Domains:  www.vulnerability-lab.com          - www.vuln-lab.com                                      - www.evolution-sec.com
    Contact:  admin@vulnerability-lab.com        - research@vulnerability-lab.com                        - admin@evolution-sec.com
    Section:  dev.vulnerability-db.com           - forum.vulnerability-db.com                            - magazine.vulnerability-db.com
    Social:   twitter.com/#!/vuln_lab            - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
    Feeds:    vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
    Programs: vulnerability-lab.com/submit.php   - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
    
    Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to 
    electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
    Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
    are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact 
    (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.
    
    				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
    
    
    
    -- 
    VULNERABILITY LABORATORY RESEARCH TEAM
    DOMAIN: www.vulnerability-lab.com
    CONTACT: research@vulnerability-lab.com